[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CVE for hosted services
- To: <pmeunier@cerias.purdue.edu>, Carsten Eiram <che@riskbasedsecurity.com>
- Subject: Re: CVE for hosted services
- From: Art Manion <amanion@cert.org>
- Date: Mon, 6 Mar 2017 17:43:36 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
- Cc: Kurt Seifried <kurt@seifried.org>, jericho <jericho@attrition.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-date: Tue Mar 7 07:45:12 2017
- In-reply-to: <1488537130.19254.11.camel@cerias.purdue.edu>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <A4305A50-AD19-4025-842E-D89337B8269C@cisco.com> <ad8435b9-ba08-a5ee-25ef-cf314c75e0e5@cert.org> <1487797534.7382.18.camel@cerias.purdue.edu> <alpine.LNX.2.00.1702221518090.19881@forced.attrition.org> <d78f00cb-280e-a674-9264-edf9ed3b4507@cert.org> <CY4PR09MB1255385CC89FEF05C100E83BE6530@CY4PR09MB1255.namprd09.prod.outlook.com> <alpine.LNX.2.00.1702231801000.19881@forced.attrition.org> <4689d956-c638-b3cc-94cb-1e877c5dc64d@cert.org> <MWHPR09MB14858DAA97929742041D5606A1520@MWHPR09MB1485.namprd09.prod.outlook.com> <alpine.LNX.2.00.1702241614480.19881@forced.attrition.org> <6a9a57eb-bad0-bea7-a71b-88b059a82969@cert.org> <alpine.LNX.2.00.1702262338220.19881@forced.attrition.org> <cb66ab45-e727-98c2-23ff-d9992f096205@cert.org> <CABqVa3-+6WYhp1T0hq=-1S0=DijN_5uk09mByT5WDr6gATUwEg@mail.gmail.com> <1488299771.10461.25.camel@cerias.purdue.edu> <CACph5NX=MfqyzXOG9Fyfr5kvuJoODzCGGhH7_EbaEYZ3M+6BAg@mail.gmail.com> <1488537130.19254.11.camel@cerias.purdue.edu>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
On 3/3/17 5:32 AM, Pascal Meunier wrote: >>> Please don't make the CVE into an incident or advisory database just >>> because an ID would be handy. >> As Brian pointed out earlier, create another C*E project if wanting >> to >> track these kinds of issues in hosted solutions. I don't have a strong argument against a separate ID scheme. > Thanks. What made the CVE interesting was the intelligence in > identifying and pinpointing root causes. A broad range of issues > stemming from the absence of security goals or considerations, as in > that product, only needs an advisory. I feel that using a CVE ID for > this example would be inappropriate because the CVE was meant to be a > finer and more precise tool. This example is akin to a grand collapse > from rampant incompetence; there is nothing to analyze in detail and > nothing to do but get indignant about it on Facebook. But I do have different ideas here. CVE may have had a stronger engineering use (defect/root cause identification), but times have changes. An ID -- particularly one that lots of people know and share -- is not only handy, but critical. The ID is separate from the engineering value of the vulnerability, we're in a world now where we still have to be able to talk about the service vulnerability in big_social_media_site, even if the world never hears the engineering details. We even have to be able to talk about the nth lame XSS in some CMS. It's just one more instance of a known class of CWE, but we need to identify *it*. We also have to identify lame vulnerabilities in stupid consumer IoT gear. Because that junk is where computers live these days. "CloudPets left their database exposed publicly to the web without so much as a password to protect it." Now this specific issue, harder to say. It's an insecure configuration, which I don't think is in scope for CVE (product, service, or otherwise). Does "E is for Exposures" come into play here? MongoDB (or memcached) should get CVE IDs for insecure default configurations. - Art PS, I won't be on this week's board call.
- References:
- Re: CVE for hosted services
- From: Carsten Eiram <che@riskbasedsecurity.com>
- Re: CVE for hosted services
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: CVE for hosted services
- Prev by Date: RE: clarification / statement on recent CVE abstraction policy changes and more
- Next by Date: RE: clarification / statement on recent CVE abstraction policy changes and more
- Previous by thread: Re: CVE for hosted services
- Next by thread: CVEnew Twitter Feed
- Index(es):
